U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Improved Security Planning Needed for the Customer Technology Solutions Project
Report No. 10-P-0028

November 16, 2009

Report Contributors:
    Rudolph M. Brevard
    Vincent Campbell
    Charles M. Dade
    Cheryl Reid

Abbreviations

ASSERT    Automated System Security Evaluation and Remediation Tracking
CTS       Customer Technology Solutions
EPA       U.S. Environmental Protection Agency
NIST      National Institute of Standards and Technology
OIG       Office of Inspector General
OMB       Office of Management and Budget

Cover photo: Standard Customer Technology Solutions laptop used by EPA employees. (EPA photo)


U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
10-P-0028
November 16, 2009

Improved Security Planning Needed for the Customer Technology Solutions Project

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA) implemented oversight practices for the Customer Technology Solutions (CTS) contract. We are continuing our review and plan to issue a separate report on whether EPA has responded to resolve issues identified during CTS deployment, and implemented processes to eliminate recurring problems with deploying CTS.

Background

EPA indicates CTS is the Agency’s Working Capital Fund service, providing and coordinating all information technology end user support and services for Headquarters program offices. EPA plans for CTS to be a one-stop shop for personal computing and information technology support services. EPA will deploy CTS equipment at 18 locations across the United States.

What We Found

EPA lacks a process to routinely test CTS equipment for known vulnerabilities and to correct identified threats. Furthermore, EPA placed CTS equipment into production without fully assessing the risk the equipment poses to the Agency’s network and authorizing the equipment for operations. The Office of Management and Budget requires federal agencies to create a security plan for each general support system and ensure the plan complies with guidance issued by the National Institute of Standards and Technology. Both vulnerability management and the preparation of critical security documents such as the Security Plan and the Authorization to Operate are paramount to fulfilling this requirement. These weaknesses exist because EPA undertook an aggressive schedule to install over 11,500 computers at 18 locations across the United States. As problems occurred during installation, management focused its attention on addressing these issues in order to meet the deployment schedule milestone.

Given the widespread use of CTS equipment, thousands of information resources provide a path for potential unauthorized access to EPA’s network. EPA lacks processes to identify these threats or the capability to lessen their impact.

On November 9, 2009, management signed an authorization to operate for the CTS equipment and outlined key actions that needed to be completed.

What We Recommend

We recommend that the Director, Office of Technology Operations and Planning and Chief Technology Officer, Office of Environmental Information, direct the CTS contractor to develop and implement a vulnerability testing and remediation process for CTS equipment consistent with existing EPA security policies and procedures, and issue a memorandum to Agency Senior Information Officials requiring their program office to conduct vulnerability testing of CTS equipment until a formal vulnerability testing and management process with CTS has been established.

Until this process is in place, we further recommend that the Director require the CTS contractor to remediate identified vulnerabilities in a timely manner and inform the respective Senior Information Official when they complete the corrective actions necessary to fix the vulnerabilities. We also recommend the Director ensure all key actions outlined in the November 9, 2009, CTS authorization to operate are completed by the defined milestone dates.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20091116-10-P-0028.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

November 16, 2009

MEMORANDUM

SUBJECT:  Improved Security Planning Needed for the Customer Technology Solutions Project
          Report No. 10-P-0028

FROM:     Rudolph M. Brevard
          Director, Information Resources Management Assessments

TO:       Vaughn Noga
          Acting Director, Office of Technology Operations and Planning and
          Chief Technology Officer, Office of Environmental Information

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report – calculated by multiplying the project’s staff days by the applicable daily full cost billing rates in effect at the time – is $271,418.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or brevard.rudy@epa.gov; or Cheryl Reid, Project Manager, at (919) 541-2256 or reid.cheryl@epa.gov.


Table of Contents

Purpose ..................................................................... 1
Background .................................................................. 1
Scope and Methodology ....................................................... 1
Findings .................................................................... 2
    CTS Project Lacks a Process to Identify and Remediate Known Vulnerabilities ... 2
    CTS Project Lacks Required Security Planning ............................ 3
Recommendations ............................................................. 5
Status of Recommendations and Potential Monetary Benefits ................... 6

Appendix
    A    Distribution ....................................................... 7


Purpose

The Office of Inspector General (OIG) sought to determine whether the U.S. Environmental Protection Agency (EPA) implemented oversight practices for the Customer Technology Solutions (CTS) contract.

Background

EPA indicates CTS is the Agency’s Working Capital Fund service, providing and coordinating all information technology end user support and services for Headquarters program offices. EPA plans for CTS to be a single stop for personal computing and information technology support services. As shown on the map, EPA will place CTS equipment in 18 locations across the United States.

[Map: CTS deployment locations across the United States. Source: EPA Office of Environmental Information Intranet]

Scope and Methodology

We performed this audit from April 2009 through October 2009 at EPA Headquarters in Washington, DC, and the National Computer Center in Durham, North Carolina. We also visited the Headquarters field offices located in Las Vegas, Nevada, and the following EPA laboratories:

    •  National Exposure Research Laboratory in Athens, Georgia
    •  National Air and Radiation Laboratory in Montgomery, Alabama
    •  National Vehicle and Fuel Emissions Laboratory in Ann Arbor, Michigan

We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We reviewed the CTS statement of work and interviewed EPA and contractor personnel responsible for overseeing the CTS project. We also spoke with EPA Program Office officials using the CTS equipment and EPA security personnel responsible for responding to security incidents for their respective offices.

We had not performed past audits of CTS. We did, however, issue a report related to vulnerability management entitled Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program, Report No. 09-P-0240, September 21, 2009.


Findings

EPA lacks a process to routinely test CTS computers for known vulnerabilities and a defined structure to remediate them. These weaknesses exist because EPA did not specify, in the CTS statement of work, that the CTS contractor was to perform vulnerability management. EPA installed CTS equipment without assessing the risks to the Agency’s network and without authorizing the equipment for operations. Appendix III to Office of Management and Budget (OMB) Circular A-130, Security of Federal Automated Information Resources, requires federal agencies to create a security plan for each general support system. OMB also requires the plan to comply with guidance issued by the National Institute of Standards and Technology (NIST). Both vulnerability management and the preparation of critical security documents such as the Security Plan and the Authorization to Operate are necessary to meet this requirement.

EPA officials indicated the CTS equipment did not have all required security documents because EPA officials rejected the contractors’ initial security plan. EPA officials indicated meeting this requirement became a lower priority due to the aggressive schedule the Agency was under for deploying the CTS equipment. As such, management lacks information it needs to protect the Agency’s network from possible threats posed by the CTS equipment. Given the widespread use of CTS equipment in EPA, thousands of unmonitored assets reside on the Agency’s network. The unmonitored assets could potentially provide a path for someone to obtain unauthorized access to the Agency’s network. Without taking action, EPA’s network remains exposed to possible threats without a process to identify them or the means to lessen their impact in a timely manner.

CTS Project Lacks a Process to Identify and Remediate Known Vulnerabilities

EPA does not have a process in place to test CTS equipment for known vulnerabilities. Based on discussions with both EPA and CTS contractor staff, none of the personnel knew whether there was a process in place. In addition, all indicated that this task was not being performed. Review of the CTS statement of work disclosed that vulnerability testing was not part of the CTS team’s responsibility.

During our annual review of EPA’s information security program, OIG contractors conducted network vulnerability testing of EPA Headquarters program office networks and identified several high-risk vulnerabilities. Summary results of these tests are posted on the OIG’s Website. Upon analysis of these network tests, EPA system owners stated they do not have the capability to fix the vulnerabilities. System owners stated they do not have system administration rights for CTS equipment. Therefore, they are unable to remediate the high-risk vulnerabilities. System owners also indicated they are not aware of the process to mitigate vulnerabilities for CTS equipment connected to the Agency’s network. They also stated that they do not know who is responsible for conducting the assessments and correcting known vulnerabilities for CTS equipment.

NIST Special Publication 800-123, Guide to General Server Security, states that vulnerability testing should occur on a weekly to monthly basis. NIST stresses that this ongoing testing is extremely important for mitigating vulnerabilities as soon as possible to prevent them from being discovered and exploited. EPA requires the CTS contractor to use the Agency’s tool that checks systems for correct configuration settings. However, this tool does not have the means to detect and provide solutions to remediate commonly known security vulnerabilities.

Compounding this issue, EPA has not made progress on four key audit recommendations we made in 2004 and 2005.(1) This lack of progress inhibits EPA from providing an Agency-wide process for security monitoring of its computer network. Given the widespread use of CTS computers throughout EPA and the fact that EPA does not have its own vulnerability management program, EPA has hampered its ability to know what threats exist on its network.

CTS Project Lacks Required Security Planning

EPA had not taken steps to fully assess the threats CTS equipment poses to the Agency’s network. Fundamental to the assessment is preparing a Security Plan. The purpose of the system Security Plan is to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements. The Security Plan outlines responsibilities and expected behavior of all individuals who access the system. The main component in having an approved Security Plan is certifying the extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome. This certification process results in an EPA official formally authorizing a system to operate.

    OMB Guidance on Security of Federal Automated Information Resources

    System Security Plan:  Plan for adequate security of each general support
                           system as part of the organization’s information
                           resources management planning process.

    Authorize Processing:  Ensure that a management official authorizes in
                           writing the use of each general support system based
                           on implementation of its security plan before
                           beginning or significantly changing processing in
                           the system.

    Source: OIG extract from OMB Circular A-130

OMB Circular A-130 requires agencies to establish a minimum set of controls to be included in federal automated information security programs. OMB further cites the Security Plan, Authorization to Operate, and incident handling as critical components. Likewise, OMB indicates, depending on the potential risk and magnitude of harm that could occur, management should consider identifying a deficiency pursuant to OMB Circular A-123, Management Accountability and Control. OMB also indicates that management should report, under the Federal Managers’ Financial Integrity Act, if there is no Security Plan or no Authorization to Operate.

Headquarters’ offices replaced their equipment with equipment provided by the CTS contractor. Therefore, the offices did not feel they had responsibility for monitoring the security of this equipment. Program office officials indicated the Agency had not established roles and responsibilities agreements with their offices. Therefore, they are not sure what role they play in protecting the Agency’s network when it comes to CTS equipment. Furthermore, without defined roles and responsibilities it would be difficult for them to answer questions related to CTS equipment certification and accreditation, system inventory, or contractor oversight. EPA management indicated it rejected the initial Security Plan submitted by the CTS contractor. Management cited that this led to no security plan being in place for the CTS equipment. Management indicated that the rejected Security Plan lacked the specific details that were required by NIST. Management indicated that due to the time schedule for deploying the CTS equipment, completing the security documentation became a lower priority.

Management showed us a draft security plan they planned to send through their office’s quality assurance process. Management indicated the CTS contractor also conducted network vulnerability testing of a sample of deployed CTS machines. Management indicated this was a one-time test in support of the risk assessment needed to complete the CTS Security Plan. Management also indicated it is drafting a memorandum of understanding to be signed by each program office that has CTS equipment. However, although EPA indicated it would take steps to put in place CTS security documents, 3 months have passed since our meeting with management and the Security Plan and memoranda of understanding with the EPA offices have not been finalized.

On November 9, 2009, EPA signed an authorization to operate for the CTS equipment. This authorization outlines milestone dates in which the CTS contractor must:

    •  update the CTS security plan,
    •  complete an inventory record in the Agency’s Registry of EPA Applications and Databases,
    •  document NIST required security controls for system life cycle management,
    •  establish Plans of Action and Milestones in the Agency’s Automated System Security Evaluation and Remediation Tracking (ASSERT) system to document remediation for high or moderate findings from the independent Risk Assessment,
    •  establish memoranda of understanding with all appropriate organizations with CTS-defined roles, and
    •  refine the Contingency Plan.

During our November 9, 2009, meeting with EPA, management indicated that it issued a memorandum to Senior Information Officials regarding their responsibilities for conducting vulnerability testing and that the requirement is in place within the Agency. While management issued a memorandum, this memorandum required the Senior Information Officials to conduct vulnerability testing of the equipment they own. Since the program offices do not own the CTS equipment, management should update its guidance so the Agency Senior Information Officials understand the complete scope of their responsibility for conducting vulnerability testing.

We believe further delays in putting in place a formal security structure for the CTS equipment places EPA’s network at great risk. As such, potential security holes may exist and EPA continues to not have an effective management control process to deal with these potential weaknesses.

(1) EPA–OIG. Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program. Report No. 09-P-0240, September 21, 2009.


Recommendations

We recommend the Director, Office of Technology Operations and Planning and Chief Technology Officer, Office of Environmental Information:

   1. Direct the CTS contractor to develop and implement a vulnerability testing and remediation process for CTS equipment consistent with existing EPA security policies and procedures. This procedure should (a) specify the roles and responsibilities for EPA information security personnel and CTS contractors, and (b) require communicating the vulnerability results and resolutions with the applicable EPA program offices.

   2. Issue a memorandum to Agency Senior Information Officials requiring their program office to conduct vulnerability testing of CTS equipment until a formal vulnerability testing and management process with CTS has been established. The vulnerability test results should be forwarded to the CTS contractors for remediation.

   3. Direct the CTS contractor to remediate identified vulnerabilities in a timely manner and to provide evidence to the initiating Senior Information Official when corrective actions have been taken. This action should continue until management establishes a formal vulnerability testing and management process with CTS.

   4. Ensure all key actions outlined in the November 9, 2009, CTS Authorization to Operate are completed by the defined milestone dates.

   5. Create Plans of Action and Milestones for the above recommendations in ASSERT.


Status of Recommendations and Potential Monetary Benefits

Rec.  Page  Subject                                              Status  Action Official                    Planned     Potential Monetary
No.   No.                                                        (1)                                        Completion  Benefits (in $000s)
                                                                                                            Date        Claimed   Agreed To
                                                                                                                        Amount    Amount
----  ----  ---------------------------------------------------  ------  ---------------------------------  ----------  --------  ---------
 1     5    Direct the CTS contractor to develop and implement   O       Director, Office of Technology
            a vulnerability testing and remediation process              Operations and Planning and Chief
            for CTS equipment consistent with existing EPA               Technology Officer, Office of
            security policies and procedures. This procedure             Environmental Information
            should (a) specify the roles and responsibilities
            for EPA information security personnel and CTS
            contractors, and (b) require communicating the
            vulnerability results and resolutions with the
            applicable EPA program offices.

 2     5    Issue a memorandum to Agency Senior Information      O       Director, Office of Technology
            Officials requiring their program office to                  Operations and Planning and Chief
            conduct vulnerability testing of CTS equipment               Technology Officer, Office of
            until a formal vulnerability testing and                     Environmental Information
            management process with CTS has been established.
            The vulnerability test results should be
            forwarded to the CTS contractors for remediation.

 3     5    Direct the CTS contractor to remediate identified    O       Director, Office of Technology
            vulnerabilities in a timely manner and to provide            Operations and Planning and Chief
            evidence to the initiating Senior Information                Technology Officer, Office of
            Official when corrective actions have been taken.            Environmental Information
            This action should continue until management
            establishes a formal vulnerability testing and
            management process with CTS.

 4     5    Ensure all key actions outlined in the November 9,   O       Director, Office of Technology
            2009, CTS Authorization to Operate are completed             Operations and Planning and Chief
            by the defined milestone dates.                              Technology Officer, Office of
                                                                         Environmental Information

 5     5    Create Plans of Action and Milestones for the        O       Director, Office of Technology
            above recommendations in ASSERT.                             Operations and Planning and Chief
                                                                         Technology Officer, Office of
                                                                         Environmental Information

(1)  O = recommendation is open with agreed-to corrective actions pending
     C = recommendation is closed with all agreed-to actions completed
     U = recommendation is undecided with resolution efforts in progress


Appendix A

Distribution

Office of the Administrator
Acting Assistant Administrator for Environmental Information and Chief Information Officer
Acting Director, Office of Technology Operations and Planning and Chief Technology Officer,
    Office of Environmental Information
Acting Director, Technology and Information Security Staff, Office of Environmental Information
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Environmental Information
Acting Inspector General